The Family Educational Rights and Privacy Act (FERPA) is designed to protect students and families from unlawful use and release of private data. It firmly undergirds how Arroyo Research Services handles data confidentiality and security, and it most often requires strict de-identification and/or prior written consent, if any access is allowed, before data is provided to third parties for the purposes of independent research.
Unfortunately, we find FERPA is often misinterpreted to mean that identifiable or non-consented data may never be released. That’s not actually the case. In very specific situations data sharing is allowable, and vendors and educators have to be aware of the differences on a case by case basis. Per the FERPA General Guidance for Students issued by the U.S. Department of Education:
“One of the exceptions to the prior written consent requirement in FERPA allows “school officials,” including teachers, within a school to obtain access to personally identifiable information contained in education records provided the school has determined that they have “legitimate educational interest” in the information. Although the term “school official” is not defined in the statute or regulations, this Office generally interprets the term to include parties such as: professors; instructors; administrators; health staff; counselors; attorneys; clerical staff; trustees; members of committees and disciplinary boards; and a contractor, volunteer or other party to whom the school has outsourced institutional services or functions. “( FERPA General Guidance for Students, Disclosure of Education Records, paragraph 2)
In some instances, Arroyo Research Services is hired by school systems to perform work that would normally be conducted by an internal office of research and evaluation (e.g. in one case, we analyzed the impact of state test interruptions on student growth scores for a large urban school district that did not have the internal capacity to do so; this work fit the definition of “outsourced institutional services or functions”).
USDOE FERPA guidance further exempts most contracted third-party evaluations of curricular innovations or school programs designed to improve instruction; this is in fact the most often contracted form of third-party evaluation:
“There are several other exceptions to FERPA’s prohibition against non-consensual disclosure of personally identifiable information from education records, some of which are briefly mentioned below. Under certain conditions (specified in the FERPA regulations), a school may non-consensually disclose personally identifiable information from education records:
…to organizations conducting studies for or on behalf of the school making the disclosure for the purposes of administering predictive tests, administering student aid programs, or improving instruction;” (FERPA General Guidance for Students, Disclosure of Education Records, paragraph 11)
Clearly not exempt are third-party studies in which no relationship between the firm and the school system exists. For example, when a publisher asks Arroyo Research Services to conduct a randomized controlled trial (RCT) of a curricular innovation, all related data requests are subject to the full requirements of FERPA for de-identification and, where applicable, consent. Key to staying within both the letter and spirit of the law is clarity, both with communication between the school system and researchers, and especially with contracts and agreements, about whether the researchers are working on behalf of the school system, or whether the school system is participating in external research.